Agenda and minutes

Councillors Atherstone and Stafford had given their apologies.  Councillor McCloskey would substitute for Councillor Atherstone. 

No interests were declared.

18 September 2019

The minutes of the last meeting had been circulated with the agenda.

Upon a vote it was unanimously

RESOLVED that the minutes of the meeting held on the 18 September 2019, be agreed and signed as an accurate record.

No questions were received.

Tony Oladejo, Audit and Compliance Manager / Data Protection Officer – Business Support Services

Tony Oladejo, the Audit and Compliance Manager / Data Protection Officer, introduced the cyber security update as circulated with the agenda.  The Executive Director of People & Change was also in attendance, as the Client Manager for Publica and explained that unfortunately nobody from IT had been able to attend. 

Tony explained that the team provided a service across 29 sites within the four partner councils, including Ubico, CBH and The Cheltenham Trust, serving more than 1500 users.  The strategy remained the same as last year, ‘Prevent, Detect & Recover’, focussing resilience on prevention and detection and mitigating risks associated with cyber security incidents.  The report summarised progress on specific cyber security activities from the last 12 months, as well as detailing those planned for 2020, however, for security reasons, included no specifics, though more details would be available to members on request.  A key risk in 2020 would be shadow ICT through the use of unauthorised cloud based software and whilst this was actually an Information Security risk rather than a Cyber Security risk, it would be viewed as a cyber incident/breach.  The next 12 to 24 months would see a continuation of the ‘Zero Trust’ approach to the security architecture and this would be achieved by building trust into the user’s identity, their devices and the services they access, rather than the networks they connect to.  He reported that the service had successfully achieved the Cyber Essentials Plus Accreditation, which had in turn helped with the PSN assessment and subsequent certificate and that all staff had completed the Cyber & Data Protection Awareness training.  Work in 2020 would include a review of the ICT Policies Framework, mitigation in terms of the ten remaining Windows 2008 servers and a disaster recovery desktop exercise.  A successful bid to the LGA Cyber Security Fund would co-finance ‘phishing simulation’ exercises across the partner councils and a new learning management system would be used to roll-out Cyber Awareness training to all staff and monitor compliance. 

The Audit and Compliance Manager / Data Protection Officer and Executive Director of People & Change gave the following responses to member questions:

·         All but ten servers had migrated from Windows 8, leaving only the committee management system, and an extended support contract would mitigate the issues, which represented spend of approximately £600 plus VAT.  Similarly, Windows 7 effected devices and with extended support, would be upgraded when the move to a new package was made. 

·         There were no reported instances of systems reverting to the year 19xx on the rollover from 2019 to 2020.  There was potential for the Y2038 bug to happen in 2038, but at present there were no contracts which extended beyond 5 years and therefore this would be looked at in greater detail, nearer the time.  It was likely that suppliers would be asked about their mitigations. 

·         Cyber security was taken very seriously and awareness training was mandatory for all staff, as well as members and this would form part of the induction for any new  ...  view the full minutes text for item 5.

(Including Audit scope and additional work letter)

Grant Thornton

Barrie Morris of Grant Thornton (GT), introduced his colleague Aditi Chandramouli, who would be replacing Sophie Morgan-Bower as the Engagement Manager.  Sophie explained that the Progress Report paper provided the committee with a brief summary of progress of the audit to date; reminding members that GT had issued their opinion on CBCs 2018/19 Statement of Accounts on the 30 July 2019.  She explained that GT would start planning for the 2019/20 audit and issue a detailed audit plan which would set out the way in which the audit of the council’s 2019/20 financial statements would be approached.  She noted that GT had previously brought a separate report on the certification of grants, but that this was no longer required and had therefore included their findings in this report.  The certification of the pooling of housing capital receipts claim would be finalised by the 7 February 2020 deadline.  A letter relating to audit fees had been circulated with the agenda and Barrie would present this in due course.  In terms of certification of the Housing Benefits claim, the thresholds were set by the DWP and given the sums involved, any error exceeding 2p per week had to be reported and extrapolated.  A number of errors were identified and extrapolated resulting in a Qualification Letter, though she stressed that these were not significant errors and the majority of these were less than £5 per year.  GT thanked the Housing Benefits Team for their support on this issue.  The paper highlighted a number of reports which could be of interest to members and she picked out the GT Sustainable Growth Index, a tool which sought to define and measure the components that create successful places and help frame future discussions, stimulate action and drive change. 

The following responses were given to member questions:

• The process and rules for the audit of the Housing Benefit claim were set by the DWP and were complex but made it possible to identify incorrect calculations.  The errors that had been identified were just that, errors, rather than fraudulent.  GT did share best practice, but each client was different and the opportunities for improvement had been discussed with the relevant officers.

Barrie referred members to the letter which had been circulated with the agenda.  He firstly apologised for the fact that it had been dated incorrectly.  Members would recall the audit fee letter than had come to committee last year and reminded members that the scale fee was set by the PSAA.  Things had moved on since and the letter set out the increased regulatory focus and an ever stricter quality environment.  Whilst there was no suggestion that materiality would change, the level of work having to be done was increasing and this had an impact GTs audit work and in turn, their fees.  There had been an effort to limit this increase to 20% in local authorities, which was still lower than a few years previous. 

A member noted that he felt the cost was  ...  view the full minutes text for item 6.

Lucy Cater, Assistant Director – SWAP Internal Audit Services

Lucy Cater, the Assistant Director for the South West Audit Partnership (SWAP) introduced the monitoring report as circulated with the agenda.  The report gave members the opportunity to comment on progress throughout the year.  Progress was summarised at Appendix B and since the last meeting 8 audits had been finalised, 6 were awarded ‘substantial’ control assurance and 2 ‘partial’.  On the two that were awarded partial assurances; Procurement, the follow-up was already underway and Property (use of contractors), would be included in the Plan for next year.  On ‘Integrity of Data’ the report had now been finalised and would be presented at the next meeting.  She also confirmed that work had commenced on the 2020/21 work plan and she invited members to contact her directly with any comments, or topics of interest.

The Assistant Director for the SWAP gave the following responses to member questions: 

The Executive Director of Finance & Assets highlighted the negative press that Marketing Gloucester had received following the dismissal of their Chief Executive and the subsequent claims that Marketing Cheltenham had been structured in the same way.  He assured members that unlike Marketing Gloucester, which was a separate entity from Gloucester City Council, Marketing Cheltenham was in fact part of CBC.  He had however, asked that Internal Audit undertake an audit of Marketing Cheltenham to ensure that the governance arrangements were as they should be.  Members thanked the Executive Director for this pro-active approach. 

A member suggested that there should be a review of HR policies to ensure that CBC were promoting diversity and that as an organisation, it reflected the town it represented. 

Another member queried how and when climate change would feature in the work plan, given the commitment made by this council.  The Assistant Director for SWAP suggested that this would feature in the next plan, and may focus on the investment portfolio.  The Chairman suggested that particular business areas could be reviewed.

It was unanimously

RESOLVED that the report be noted.

The Chairman thanked the Assistant Director for SWAP and the Executive Director of Finance & Assets, for their attendance.

Emma Cathcart, Counter Fraud Manager

Emma Cathcart, the Counter Fraud Manager, introduced the two draft policies.  She explained that new legislation had made it necessary to refresh the RIPA policy and rewrite the policy relating to communications data but this had also provided an opportunity to align the policies across the five CFU partner Councils.  The CFU would also be ensuring a training programme was undertaken across the same.  The refreshed RIPA policy introduced a mandatory requirement for staff to complete a Non-RIPA application form where surveillance was being undertaken but the offence did not meet the serious crime criteria to ensure best practice and minimise risk.  She noted that there would be a third policy on the use of social media and how to use it for intelligence gathering would be introduced at a later Committee following some managerial decisions regarding procedures. 

Members welcomed the revisions, commenting that the policies were well written comprehensive and straightforward. 

It was resolved unanimously

RESOLVED that having considered the Regulation of Investigatory Powers Act 2000 Surveillance and Covert Human Intelligence Source Policy and the Investigatory Powers Act 2016 Acquisition of Communications Data Policy, the comments of the Audit, Compliance and Governance Committee be forwarded to Cabinet.

The Chairman thanked the Counter Fraud Manager for her attendance.

The work plan had been circulated with the agenda.

Grant Thornton asked that the certification of grants and returns be removed from the list of annual items, as this certification no longer existed.   

There were no urgent items requiring a decision.

24 March 2020

The next meeting was scheduled for the 24 March 2020.